This blog post discusses the analysis of a malicious IP address, exploring various tools for deeper investigation, including WHOIS, Shodan, AbuseIPDB, VirusTotal, and ThreatBook.io. The findings indicate that the IP address is associated with suspicious services and potential malware activity, emphasizing the importance of detailed analysis in cybersecurity efforts. Affected: IP address, telecommunications sector, cybersecurity community
Key points:
- The blog starts with the analysis of a randomly selected malicious IP address.
- WHOIS helps retrieve detailed ownership information about the IP, including contact details.
- The IP address is linked to FPT Telecom in Vietnam, with specific administrative and technical contact information provided.
- A reverse IP lookup and domain resolution were attempted to gather more data but yielded limited results.
- Tools like Shodan and Censys are used to look up the IP's open ports and potential vulnerabilities from their scan data.
- Details about services running on specific ports are examined, showing possible file-sharing activities.
- AbuseIPDB is utilized to verify if the IP has been flagged for malicious activity.
- User reports on AbuseIPDB provide insights into the type of attacks associated with the IP.
- VirusTotal is checked to see if the IP is recognized as a threat by antivirus engines.
- Observations reveal multiple malicious `utorrent.exe` files connected with the IP.
- The website iknowwhatyoudownloaded helps track torrent activity linked to the IP.
- ThreatBook.io provides detailed reports on attack patterns associated with the IP.
- The investigation concludes with evidence that the IP is used for malicious activity, including concealing the operator's identity and bypassing security controls.
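The steps above (reputation lookup on AbuseIPDB, engine verdicts on VirusTotal, exposed services from Shodan-style port data) are the same enrichment an analyst would script for triage. The following is an added example, not code from the blog being summarized: it parses constructed sample responses in the shape the AbuseIPDB v2 `check` and VirusTotal v3 `ip_addresses` endpoints return, maps AbuseIPDB report categories to labels, flags exposed file-sharing services, and produces a risk verdict with reasons. The IP, ISP name, report contents, engine counts and port list are all constructed (the IP is from the TEST-NET-3 documentation range); the thresholds are assumptions chosen for illustration, and no network calls are made.

```python
"""Offline triage of a single IP from constructed AbuseIPDB / VirusTotal / port data.

Real endpoints, for reference (this example performs no network I/O):
  AbuseIPDB : GET https://api.abuseipdb.com/api/v2/check?ipAddress=<ip>&maxAgeInDays=90&verbose
              header  Key: <api key>
  VirusTotal: GET https://www.virustotal.com/api/v3/ip_addresses/<ip>
              header  x-apikey: <api key>
"""
import json
from dataclasses import dataclass, field

# Constructed sample responses (not real data; 203.0.113.0/24 is a documentation range).
ABUSEIPDB_SAMPLE = json.dumps({"data": {
    "ipAddress": "203.0.113.7", "isPublic": True, "abuseConfidenceScore": 100,
    "countryCode": "VN", "isp": "EXAMPLE-ISP", "totalReports": 37, "numDistinctUsers": 19,
    "lastReportedAt": "2024-01-15T08:21:00+00:00",
    "reports": [
        {"reportedAt": "2024-01-15T08:21:00+00:00", "comment": "SSH brute force", "categories": [18, 22]},
        {"reportedAt": "2024-01-14T23:02:00+00:00", "comment": "port scan", "categories": [14]},
    ]}})
VIRUSTOTAL_SAMPLE = json.dumps({"data": {
    "id": "203.0.113.7", "type": "ip_address",
    "attributes": {"as_owner": "EXAMPLE-ISP", "country": "VN",
                   "last_analysis_stats": {"harmless": 70, "malicious": 6, "suspicious": 1,
                                           "undetected": 12, "timeout": 0}}}})
SHODAN_PORTS_SAMPLE = [21, 445, 6881]  # constructed list of open ports for the sample IP

# Subset of AbuseIPDB report category codes.
ABUSEIPDB_CATEGORIES = {14: "Port Scan", 15: "Hacking", 18: "Brute-Force",
                        21: "Web App Attack", 22: "SSH"}
# Ports commonly associated with file sharing (FTP, SMB, BitTorrent 6881-6889).
FILE_SHARING_PORTS = {21: "FTP", 445: "SMB", **{p: "BitTorrent" for p in range(6881, 6890)}}


@dataclass
class IpVerdict:
    ip: str
    risk: str                      # "low" | "medium" | "high"
    abuse_confidence: int
    vt_malicious: int
    attack_types: list = field(default_factory=list)
    file_sharing_services: list = field(default_factory=list)
    reasons: list = field(default_factory=list)


def parse_abuseipdb(raw: str) -> dict:
    """Extract score, report count and distinct attack categories from a v2 check response."""
    d = json.loads(raw)["data"]
    codes = sorted({c for r in d.get("reports", []) for c in r.get("categories", [])})
    return {"ip": d["ipAddress"], "score": int(d["abuseConfidenceScore"]),
            "reports": int(d["totalReports"]),
            "categories": [ABUSEIPDB_CATEGORIES.get(c, f"category {c}") for c in codes]}


def parse_virustotal(raw: str) -> dict:
    """Extract engine verdict counts from a v3 ip_addresses response."""
    stats = json.loads(raw)["data"]["attributes"]["last_analysis_stats"]
    return {"malicious": int(stats.get("malicious", 0)),
            "suspicious": int(stats.get("suspicious", 0))}


def classify(abuse: dict, vt: dict, open_ports: list) -> IpVerdict:
    """Combine the three sources into a verdict. Thresholds are illustrative assumptions."""
    reasons = []
    if abuse["score"] >= 25:
        reasons.append(f"AbuseIPDB confidence {abuse['score']} from {abuse['reports']} reports")
    if vt["malicious"] or vt["suspicious"]:
        reasons.append(f"VirusTotal: {vt['malicious']} engines malicious, "
                       f"{vt['suspicious']} suspicious")
    sharing = [f"{FILE_SHARING_PORTS[p]}/{p}" for p in sorted(open_ports) if p in FILE_SHARING_PORTS]
    if sharing:
        reasons.append("file-sharing services exposed: " + ", ".join(sharing))
    if abuse["score"] >= 75 or vt["malicious"] >= 5:
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return IpVerdict(abuse["ip"], risk, abuse["score"], vt["malicious"],
                     abuse["categories"], sharing, reasons)


def triage_sample() -> IpVerdict:
    """Run the pipeline over the constructed samples above."""
    return classify(parse_abuseipdb(ABUSEIPDB_SAMPLE),
                    parse_virustotal(VIRUSTOTAL_SAMPLE), SHODAN_PORTS_SAMPLE)


if __name__ == "__main__":
    verdict = triage_sample()
    print(f"{verdict.ip}: risk={verdict.risk}")
    for line in verdict.reasons:
        print("  -", line)
```

In practice the `reports[].categories` field is only present when the AbuseIPDB request includes `verbose`, and a real run would key the VirusTotal and AbuseIPDB requests from a secrets store rather than from the environment of an ad-hoc script; the classification logic itself is the part worth keeping, because it records *why* an IP was rated high rather than just the score.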